GCP IAM Updates Detected

roles/aiplatform.admin

@@ -201,6 +201,7 @@
     "aiplatform.indexes.get",
     "aiplatform.indexes.list",
     "aiplatform.indexes.update",
+    "aiplatform.locations.evaluateInstances",
     "aiplatform.locations.get",
     "aiplatform.locations.list",
     "aiplatform.metadataSchemas.create",
@@ -281,6 +282,19 @@
     "aiplatform.pipelineJobs.delete",
     "aiplatform.pipelineJobs.get",
     "aiplatform.pipelineJobs.list",
+    "aiplatform.provisionedThroughputs.create",
+    "aiplatform.provisionedThroughputs.list",
+    "aiplatform.ragCorpora.create",
+    "aiplatform.ragCorpora.delete",
+    "aiplatform.ragCorpora.get",
+    "aiplatform.ragCorpora.list",
+    "aiplatform.ragCorpora.query",
+    "aiplatform.ragCorpora.update",
+    "aiplatform.ragFiles.delete",
+    "aiplatform.ragFiles.get",
+    "aiplatform.ragFiles.import",
+    "aiplatform.ragFiles.list",
+    "aiplatform.ragFiles.upload",
     "aiplatform.reasoningEngines.create",
     "aiplatform.reasoningEngines.delete",
     "aiplatform.reasoningEngines.get",

roles/aiplatform.modelMonitoringServiceAgent

@@ -5,6 +5,7 @@
     "aiplatform.batchPredictionJobs.create",
     "aiplatform.batchPredictionJobs.get",
     "aiplatform.batchPredictionJobs.list",
+    "aiplatform.locations.evaluateInstances",
     "bigquery.datasets.create",
     "bigquery.datasets.get",
     "bigquery.jobs.create",

roles/aiplatform.provisionedThroughputAdmin

@@ -0,0 +1,11 @@
+{
+  "description": "Grants access to use all resources related to Vertex AI Provisioned Throughput",
+  "etag": "AA==",
+  "includedPermissions": [
+    "aiplatform.provisionedThroughputs.create",
+    "aiplatform.provisionedThroughputs.list"
+  ],
+  "name": "roles/aiplatform.provisionedThroughputAdmin",
+  "stage": "BETA",
+  "title": "Vertex AI Platform Provisioned Throughput Admin"
+}

roles/aiplatform.serviceAgent

@@ -189,6 +189,7 @@
     "aiplatform.indexes.get",
     "aiplatform.indexes.list",
     "aiplatform.indexes.update",
+    "aiplatform.locations.evaluateInstances",
     "aiplatform.locations.get",
     "aiplatform.locations.list",
     "aiplatform.metadataSchemas.create",
@@ -263,6 +264,18 @@
     "aiplatform.pipelineJobs.delete",
     "aiplatform.pipelineJobs.get",
     "aiplatform.pipelineJobs.list",
+    "aiplatform.provisionedThroughputs.list",
+    "aiplatform.ragCorpora.create",
+    "aiplatform.ragCorpora.delete",
+    "aiplatform.ragCorpora.get",
+    "aiplatform.ragCorpora.list",
+    "aiplatform.ragCorpora.query",
+    "aiplatform.ragCorpora.update",
+    "aiplatform.ragFiles.delete",
+    "aiplatform.ragFiles.get",
+    "aiplatform.ragFiles.import",
+    "aiplatform.ragFiles.list",
+    "aiplatform.ragFiles.upload",
     "aiplatform.reasoningEngines.create",
     "aiplatform.reasoningEngines.delete",
     "aiplatform.reasoningEngines.get",

roles/aiplatform.user

@@ -189,6 +189,7 @@
     "aiplatform.indexes.get",
     "aiplatform.indexes.list",
     "aiplatform.indexes.update",
+    "aiplatform.locations.evaluateInstances",
     "aiplatform.locations.get",
     "aiplatform.locations.list",
     "aiplatform.metadataSchemas.create",
@@ -263,6 +264,18 @@
     "aiplatform.pipelineJobs.delete",
     "aiplatform.pipelineJobs.get",
     "aiplatform.pipelineJobs.list",
+    "aiplatform.provisionedThroughputs.list",
+    "aiplatform.ragCorpora.create",
+    "aiplatform.ragCorpora.delete",
+    "aiplatform.ragCorpora.get",
+    "aiplatform.ragCorpora.list",
+    "aiplatform.ragCorpora.query",
+    "aiplatform.ragCorpora.update",
+    "aiplatform.ragFiles.delete",
+    "aiplatform.ragFiles.get",
+    "aiplatform.ragFiles.import",
+    "aiplatform.ragFiles.list",
+    "aiplatform.ragFiles.upload",
     "aiplatform.reasoningEngines.create",
     "aiplatform.reasoningEngines.delete",
     "aiplatform.reasoningEngines.get",

roles/aiplatform.viewer

@@ -109,6 +109,12 @@
     "aiplatform.persistentResources.list",
     "aiplatform.pipelineJobs.get",
     "aiplatform.pipelineJobs.list",
+    "aiplatform.provisionedThroughputs.list",
+    "aiplatform.ragCorpora.get",
+    "aiplatform.ragCorpora.list",
+    "aiplatform.ragCorpora.query",
+    "aiplatform.ragFiles.get",
+    "aiplatform.ragFiles.list",
     "aiplatform.reasoningEngines.get",
     "aiplatform.reasoningEngines.list",
     "aiplatform.reasoningEngines.query",

roles/anthosservicemesh.serviceAgent

@@ -27,6 +27,7 @@
     "compute.healthChecks.update",
     "compute.healthChecks.use",
     "compute.healthChecks.useReadOnly",
+    "compute.instances.use",
     "compute.networkEndpointGroups.attachNetworkEndpoints",
     "compute.networkEndpointGroups.create",
     "compute.networkEndpointGroups.delete",

roles/apigee.runtimeAgent

@@ -5,6 +5,7 @@
     "apigee.canaryevaluations.create",
     "apigee.canaryevaluations.get",
     "apigee.entitlements.get",
+    "apigee.environments.get",
     "apigee.ingressconfigs.get",
     "apigee.instances.reportStatus",
     "apigee.operations.get",

roles/auditmanager.serviceAgent

@@ -2,6 +2,8 @@
   "description": "Grants Audit Manager Service Agent access to various list/get rpcs of products to perform an audit.",
   "etag": "AA==",
   "includedPermissions": [
+    "accessapproval.settings.get",
+    "artifactregistry.repositories.get",
     "bigquery.datasets.get",
     "certificatemanager.certs.list",
     "certificatemanager.trustconfigs.list",
@@ -565,7 +567,10 @@
     "cloudasset.assets.queryResource",
     "cloudasset.assets.searchAllIamPolicies",
     "cloudasset.assets.searchAllResources",
+    "cloudkms.cryptoKeys.get",
     "cloudkms.cryptoKeys.list",
+    "cloudkms.keyRings.list",
+    "cloudsecurityscanner.scans.get",
     "cloudsql.instances.get",
     "cloudsql.instances.list",
     "compute.autoscalers.list",
@@ -594,10 +599,14 @@
     "compute.zones.list",
     "container.clusters.get",
     "container.clusters.list",
+    "dlp.inspectTemplates.list",
+    "dlp.jobTriggers.list",
     "dns.managedZones.list",
+    "iam.serviceAccounts.get",
     "iam.serviceAccounts.getIamPolicy",
     "logging.buckets.list",
     "monitoring.timeSeries.list",
+    "orgpolicy.constraints.list",
     "orgpolicy.policy.get",
     "privateca.certificates.list",
     "recommender.cloudAssetInsights.get",

roles/automlrecommendations.admin

@@ -46,6 +46,7 @@
     "retail.products.list",
     "retail.products.purge",
     "retail.products.update",
+    "retail.retailProjects.acceptDataTerms",
     "retail.retailProjects.get",
     "retail.userEvents.create",
     "retail.userEvents.import",

roles/bigquery.admin

@@ -110,6 +110,7 @@
     "bigquery.tables.setIamPolicy",
     "bigquery.tables.update",
     "bigquery.tables.updateData",
+    "bigquery.tables.updateIndex",
     "bigquery.tables.updateTag",
     "bigquery.transfers.get",
     "bigquery.transfers.update",

roles/bigquery.dataEditor

@@ -36,6 +36,7 @@
     "bigquery.tables.restoreSnapshot",
     "bigquery.tables.update",
     "bigquery.tables.updateData",
+    "bigquery.tables.updateIndex",
     "bigquery.tables.updateTag",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"

roles/bigquery.dataOwner

@@ -66,6 +66,7 @@
     "bigquery.tables.setIamPolicy",
     "bigquery.tables.update",
     "bigquery.tables.updateData",
+    "bigquery.tables.updateIndex",
     "bigquery.tables.updateTag",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"

roles/container.serviceAgent

@@ -25,6 +25,12 @@
     "bigquery.tables.update",
     "bigquery.tables.updateData",
     "binaryauthorization.policy.evaluatePolicy",
+    "certificatemanager.certissuanceconfigs.create",
+    "certificatemanager.certissuanceconfigs.delete",
+    "certificatemanager.certissuanceconfigs.get",
+    "certificatemanager.certissuanceconfigs.list",
+    "certificatemanager.certissuanceconfigs.update",
+    "certificatemanager.certissuanceconfigs.use",
     "certificatemanager.certmapentries.create",
     "certificatemanager.certmapentries.delete",
     "certificatemanager.certmapentries.get",

roles/datafusion.admin

@@ -23,10 +23,17 @@
     "datafusion.instances.upgrade",
     "datafusion.locations.get",
     "datafusion.locations.list",
+    "datafusion.namespaces.create",
+    "datafusion.namespaces.delete",
+    "datafusion.namespaces.get",
+    "datafusion.namespaces.getIamPolicy",
+    "datafusion.namespaces.list",
     "datafusion.namespaces.provisionCredential",
     "datafusion.namespaces.readRepository",
+    "datafusion.namespaces.setIamPolicy",
     "datafusion.namespaces.setServiceAccount",
     "datafusion.namespaces.unsetServiceAccount",
+    "datafusion.namespaces.update",
     "datafusion.namespaces.updateRepositoryMetadata",
     "datafusion.namespaces.writeRepository",
     "datafusion.operations.cancel",

roles/datafusion.developer

@@ -11,8 +11,12 @@
     "datafusion.instances.listTagBindings",
     "datafusion.locations.get",
     "datafusion.locations.list",
+    "datafusion.namespaces.get",
+    "datafusion.namespaces.getIamPolicy",
+    "datafusion.namespaces.list",
     "datafusion.namespaces.provisionCredential",
     "datafusion.namespaces.readRepository",
+    "datafusion.namespaces.update",
     "datafusion.namespaces.writeRepository",
     "datafusion.operations.get",
     "datafusion.operations.list",

roles/datafusion.operator

@@ -14,10 +14,14 @@
     "datafusion.instances.listTagBindings",
     "datafusion.locations.get",
     "datafusion.locations.list",
+    "datafusion.namespaces.get",
+    "datafusion.namespaces.getIamPolicy",
+    "datafusion.namespaces.list",
     "datafusion.namespaces.provisionCredential",
     "datafusion.namespaces.readRepository",
     "datafusion.namespaces.setServiceAccount",
     "datafusion.namespaces.unsetServiceAccount",
+    "datafusion.namespaces.update",
     "datafusion.namespaces.updateRepositoryMetadata",
     "datafusion.namespaces.writeRepository",
     "datafusion.operations.get",

roles/datafusion.serviceAgent

@@ -67,6 +67,7 @@
     "bigquery.tables.setIamPolicy",
     "bigquery.tables.update",
     "bigquery.tables.updateData",
+    "bigquery.tables.updateIndex",
     "bigquery.tables.updateTag",
     "bigtable.appProfiles.create",
     "bigtable.appProfiles.delete",

roles/datamigration.admin

@@ -31,6 +31,7 @@
     "datamigration.migrationjobs.create",
     "datamigration.migrationjobs.delete",
     "datamigration.migrationjobs.demoteDestination",
+    "datamigration.migrationjobs.fetchSourceObjects",
     "datamigration.migrationjobs.generateSshScript",
     "datamigration.migrationjobs.generateTcpProxyScript",
     "datamigration.migrationjobs.get",

roles/dataplex.catalogAdmin

@@ -38,6 +38,7 @@
     "dataplex.entryTypes.setIamPolicy",
     "dataplex.entryTypes.update",
     "dataplex.entryTypes.use",
+    "dataplex.operations.get",
     "dataplex.projects.search",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"

roles/dataplex.catalogEditor

@@ -33,6 +33,7 @@
     "dataplex.entryTypes.list",
     "dataplex.entryTypes.update",
     "dataplex.entryTypes.use",
+    "dataplex.operations.get",
     "dataplex.projects.search",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"

roles/dataplex.entryGroupOwner

@@ -28,6 +28,7 @@
     "dataplex.entryTypes.get",
     "dataplex.entryTypes.list",
     "dataplex.entryTypes.use",
+    "dataplex.operations.get",
     "dataplex.projects.search",
     "resourcemanager.projects.get",
     "resourcemanager.projects.list"

roles/dataplex.serviceAgent

@@ -110,6 +110,7 @@
     "bigquery.tables.setIamPolicy",
     "bigquery.tables.update",
     "bigquery.tables.updateData",
+    "bigquery.tables.updateIndex",
     "bigquery.tables.updateTag",
     "bigquery.transfers.get",
     "bigquery.transfers.update",

roles/dataprep.serviceAgent

@@ -51,6 +51,7 @@
     "bigquery.tables.restoreSnapshot",
     "bigquery.tables.update",
     "bigquery.tables.updateData",
+    "bigquery.tables.updateIndex",
     "bigquery.tables.updateTag",
     "bigquery.transfers.get",
     "bigquerymigration.translation.translate",

roles/dataproc.serviceAgent

@@ -219,6 +219,7 @@
     "compute.subnetworks.list",
     "compute.subnetworks.listEffectiveTags",
     "compute.subnetworks.listTagBindings",
+    "compute.subnetworks.setPrivateIpGoogleAccess",
     "compute.subnetworks.use",
     "compute.subnetworks.useExternalIp",
     "compute.targetPools.get",

roles/designcenter.serviceAgent

@@ -2,6 +2,38 @@
   "description": "Gives the DesignCenter API Service Account access to necessary GCP resources.",
   "etag": "AA==",
   "includedPermissions": [
+    "apphub.applications.create",
+    "apphub.applications.delete",
+    "apphub.applications.get",
+    "apphub.applications.list",
+    "apphub.applications.update",
+    "apphub.operations.get",
+    "apphub.operations.list",
+    "apphub.serviceProjectAttachments.get",
+    "apphub.serviceProjectAttachments.list",
+    "apphub.serviceProjectAttachments.lookup",
+    "config.deployments.create",
+    "config.deployments.delete",
+    "config.deployments.get",
+    "config.deployments.list",
+    "config.deployments.update",
+    "config.locations.get",
+    "config.locations.list",
+    "config.operations.cancel",
+    "config.operations.delete",
+    "config.operations.get",
+    "config.operations.list",
+    "config.previews.create",
+    "config.previews.delete",
+    "config.previews.get",
+    "config.previews.list",
+    "config.resources.get",
+    "config.resources.list",
+    "config.revisions.get",
+    "config.revisions.getState",
+    "config.revisions.list",
+    "config.terraformversions.get",
+    "config.terraformversions.list",
     "storage.buckets.create",
     "storage.buckets.delete",
     "storage.buckets.get",

roles/dlp.orgdriver

@@ -109,6 +109,12 @@
     "aiplatform.persistentResources.list",
     "aiplatform.pipelineJobs.get",
     "aiplatform.pipelineJobs.list",
+    "aiplatform.provisionedThroughputs.list",
+    "aiplatform.ragCorpora.get",
+    "aiplatform.ragCorpora.list",
+    "aiplatform.ragCorpora.query",
+    "aiplatform.ragFiles.get",
+    "aiplatform.ragFiles.list",
     "aiplatform.reasoningEngines.get",
     "aiplatform.reasoningEngines.list",
     "aiplatform.reasoningEngines.query",
@@ -230,6 +236,7 @@
     "bigquery.tables.restoreSnapshot",
     "bigquery.tables.update",
     "bigquery.tables.updateData",
+    "bigquery.tables.updateIndex",
     "bigquery.tables.updateTag",
     "bigquery.transfers.get",
     "bigquerymigration.translation.translate",